linux一键优化脚本1.0

#!/bin/bash
#Author:Johnny.Feng
#fengjihu@chnvideo.com


. /etc/init.d/functions


#开启iptables服务
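#######################################
# Reset the IPv4 filter table to a default-deny inbound policy and persist it.
# Accepted inbound: loopback, replies to connections this host opened,
# TCP 22 / 9022 / 80, and rate-limited ICMP types 0 and 8 (echo reply/request).
# All outbound traffic is accepted; forwarding is dropped.
# Globals:   none
# Arguments: none
# Returns:   exit status of "/etc/init.d/iptables save"
# NOTE(review): only iptables (IPv4) is configured here; ip6tables is not
# touched, so IPv6 exposure has to be handled separately.
#######################################
function set_Iptables(){
  # Open the INPUT policy before flushing. If an earlier run left it at DROP,
  # "iptables -F" alone would cut the SSH session that is running this script.
  iptables -P INPUT ACCEPT
  iptables -F
  iptables -X
  iptables -Z

  iptables -I INPUT -i lo -j ACCEPT
  # Without this rule the final DROP policy also discards reply packets for
  # connections the host itself opens (DNS, yum, ntpdate).
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # 22 is kept next to 9022 because set_ssh moves sshd to 9022; remove the
  # port 22 rule once nothing is meant to listen there any more.
  iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  iptables -A INPUT -p tcp --dport 9022 -j ACCEPT
  iptables -A INPUT -p tcp --dport 80 -j ACCEPT

  # Rate-limit ICMP echo reply (type 0) and echo request (type 8).
  iptables -A INPUT -p icmp --icmp-type 0 -m limit --limit 3/second --limit-burst 5 -j ACCEPT
  iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 3/second --limit-burst 5 -j ACCEPT

  iptables -A OUTPUT -j ACCEPT
  iptables -P FORWARD DROP
  # Default-deny goes last so the ACCEPT rules above are already in place.
  iptables -P INPUT DROP

  /etc/init.d/iptables save
}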


#关闭不需要的服务
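#######################################
# Enable sshd, network, rsyslog, crond and iptables at boot and switch every
# other entry found in /etc/init.d off via chkconfig.
# Globals:   none (loop variables are local so the caller's "i" is preserved)
# Arguments: none
# Returns:   status of the final "action" call (0 when every essential
#            service could be enabled)
# NOTE(review): everything outside the allowlist is disabled at boot, which
# includes auditing or monitoring agents if they are installed (e.g. auditd).
# Extend the allowlist before running this on hosts that rely on them.
#######################################
function stop_Service(){
  local script name rc=0

  # Glob instead of parsing "ls": names are taken as-is, no word splitting.
  for script in /etc/init.d/*; do
    [[ -e "$script" ]] || continue
    name=${script##*/}
    case "$name" in
      sshd|network|rsyslog|crond|iptables)
        # A failure here means an essential service will not start at boot.
        chkconfig "$name" on || rc=1
        ;;
      *)
        # Best effort: /etc/init.d also holds helper files (such as
        # "functions") that chkconfig does not manage, so errors here are
        # not counted.
        chkconfig "$name" off
        ;;
    esac
  done

  if (( rc == 0 )); then
    action "Close Non-essential service!!" /bin/true
  else
    action "Close Non-essential service!!" /bin/false
  fi
}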


#修改ssh配置
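#######################################
# Edit /etc/ssh/sshd_config (GSSAPIAuthentication no, UseDNS no, Port 9022),
# validate the result and restart sshd.
# Globals:   none
# Arguments: none
# Returns:   1 if the edited configuration fails validation (sshd is then
#            left running untouched), otherwise the status of the final
#            "action" call
# NOTE(review): only GSSAPI, UseDNS and Port are touched. Authentication
# settings (root login, password authentication) keep whatever value the
# file already has. The sed patterns only rewrite the stock lines
# ("#UseDNS yes", "#Port 22"); a file that was already customised is left
# as it is, and sed still exits 0 in that case.
#######################################
function set_ssh(){
  local cfg=/etc/ssh/sshd_config

  if sed -i 's/^GSSAPIAuthentication yes$/GSSAPIAuthentication no/' "$cfg"; then
    action "Change GSSAPIAuthentication yes to no " /bin/true
  else
    action "Change GSSAPIAuthentication yes to no " /bin/false
  fi

  if sed -i 's/#UseDNS yes/UseDNS no/' "$cfg"; then
    action "Change UseDNS yes to no " /bin/true
  else
    action "Change UseDNS yes to no " /bin/false
  fi

  if sed -i 's/#Port 22/Port 9022/' "$cfg"; then
    action "Change port 22 to 9022 " /bin/true
  else
    action "Change port 22 to 9022 " /bin/false
  fi
  echo -e "\033[31mNote: SSH PORT Change to 9022\033[0m"

  # Check the file before restarting: a restart with a broken config would
  # stop sshd and lock out remote administration.
  if ! /usr/sbin/sshd -t -f "$cfg"; then
    action "Validate sshd_config" /bin/false
    return 1
  fi

  if service sshd restart; then
    action "Restart ssh service" /bin/true
  else
    action "Restart ssh service" /bin/false
  fi
}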


#更改时区为上海
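#######################################
# Switch the system time zone to Asia/Shanghai: keep the previous
# /etc/localtime under a date-stamped name, install the Shanghai zone file
# and rewrite /etc/sysconfig/clock.
# Globals:   none
# Arguments: none
# Returns:   1 if the zone file is missing or the copy fails, otherwise the
#            status of the final "action" call
#######################################
function change_zone_Shanghai(){
  local zone_file=/usr/share/zoneinfo/Asia/Shanghai

  # Check the source first: moving /etc/localtime away and then failing to
  # copy would leave the host without any localtime file.
  if [[ ! -r "$zone_file" ]]; then
    action "Change zone to Shanghai" /bin/false
    return 1
  fi

  mv /etc/localtime "/etc/localtime.$(date +%Y%m%d)"
  if ! cp "$zone_file" /etc/localtime; then
    action "Change zone to Shanghai" /bin/false
    return 1
  fi

  cat > /etc/sysconfig/clock <<EOF
ZONE="Asia/Shanghai" 
UTC=false 
ARC=false
EOF

  # +0800 is the UTC offset expected once the new zone file is active.
  if [[ "$(date +%z)" == '+0800' ]]; then
    action "Change zone to Shanghai" /bin/true
  else
    action "Change zone to Shanghai" /bin/false
  fi
}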


#设置文件数限制
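#######################################
# Raise the open-file limit to 65535 (soft and hard) for the "*" wildcard
# domain in /etc/security/limits.conf, unless an active "soft nofile" entry
# is already present.
# Globals:   none
# Arguments: none
# Returns:   0 when the limit is present or was appended, non-zero when the
#            append failed
#######################################
function file_limit() {
  local conf=/etc/security/limits.conf
  local rc=0

  # Match only uncommented entries, with any amount of whitespace between
  # the columns; commented examples in the file do not count as configured.
  if ! grep -Eq '^[^#]*[[:space:]]soft[[:space:]]+nofile[[:space:]]' "$conf"; then
    cat >> "$conf" <<EOF || rc=1
* soft nofile 65535
* hard nofile 65535
EOF
  fi

  # Report the real outcome: the success line and the reboot hint belong
  # together, the failure line is printed only when the append failed.
  if (( rc == 0 )); then
    action "Set file limit" /bin/true
    echo -e "\033[32mPlese reboot system,make it changed.\033[0m"
  else
    action "Set file limit" /bin/false
  fi
}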


#关闭SElinux
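#######################################
# Set SELINUX=disabled in /etc/selinux/config and switch the running system
# out of enforcing mode, unless SELinux is already disabled.
# Globals:   none
# Arguments: none
# Returns:   status of the final "action" call
# NOTE(review): "setenforce 0" only puts the running kernel into permissive
# mode; the "disabled" setting applies from the next boot. Disabling SELinux
# removes mandatory access control from the host. Where the goal is only to
# get a service working, permissive mode keeps the denials visible in the
# audit log so a policy can be written instead.
#######################################
function disabled_selinux() {
  local cfg=/etc/selinux/config

  # The runtime state must come from running getenforce; comparing the bare
  # word "getenforce" with "Disabled" is always unequal.
  if grep -q '^SELINUX=disabled' "$cfg" \
    || [[ "$(getenforce 2>/dev/null)" == "Disabled" ]]; then
    action "Close SELINUX already seted." /bin/true
    return
  fi

  sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' "$cfg"
  # sed exits 0 even when nothing matched, so confirm the setting is there.
  if grep -q '^SELINUX=disabled' "$cfg"; then
    action "Change SELINUX enforcing to disabled" /bin/true
  else
    action "Change SELINUX enforcing to disabled" /bin/false
  fi

  if setenforce 0; then
    action "Close SELINUX" /bin/true
  else
    action "Close SELINUX" /bin/false
  fi
}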


#设置sysctl
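#######################################
# Replace /etc/sysctl.conf with a fixed tuning profile and load it.
# The previous file is copied to a time-stamped backup first, because the
# rewrite discards every setting that was in it (including any hardening
# keys an administrator added).
# Globals:   none
# Arguments: none
# Returns:   1 if the backup fails (nothing is changed), otherwise the
#            status of the final "action" call
# NOTE(review): the profile sets net.ipv4.tcp_tw_recycle = 1, which is known
# to drop connections from clients that share a NAT address, and it sets
# net.ipv4.tcp_timestamps = 0 although tcp_tw_recycle and tcp_tw_reuse both
# depend on TCP timestamps. Review these three keys before using the
# profile on an Internet-facing server.
#######################################
function set_sysctl() {
  local conf=/etc/sysctl.conf

  if [[ -f "$conf" ]]; then
    if ! cp -p "$conf" "${conf}.$(date +%Y%m%d%H%M%S)"; then
      action "Backup sysctl.conf" /bin/false
      return 1
    fi
  fi

  # Quoted delimiter: the profile is written literally, with no expansion.
  cat > "$conf" <<'EOF'
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 262144
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.ip_local_port_range = 1024 65535
EOF

  if /sbin/sysctl -p > /dev/null; then
    action "Change Sysctl.conf" /bin/true
  else
    action "Change Sysctl.conf" /bin/false
  fi
}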


#设置同步时间服务器
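#######################################
# Make sure the ntp package is present, add a nightly ntpdate + hwclock job
# to root's crontab if none exists, and run one time sync immediately.
# Globals:   none
# Arguments: none
# Returns:   status of the final "action" call
# NOTE(review): the job is appended straight to /var/spool/cron/root rather
# than installed through "crontab"; the script is expected to run as root.
# The sync uses the public pool cn.pool.ntp.org without authentication.
#######################################
function set_synctime() {
  local cron_file=/var/spool/cron/root
  local cron_line="0 0 * * * /usr/sbin/ntpdate cn.pool.ntp.org;/sbin/hwclock -w > /dev/null 2>&1"
  local now

  # Discard output via /dev/null (lower case); a misspelt device name would
  # create a regular file under /dev instead.
  if ! chkconfig --list 2> /dev/null | grep -q ntp; then
    if yum -y install ntp > /dev/null; then
      action "Install Ntpdate" /bin/true
    else
      action "Install Ntpdate" /bin/false
    fi
  fi

  # "crontab -l" fails when root has no crontab yet; that counts as
  # "no ntpdate job", so its error output is dropped.
  if ! crontab -l 2> /dev/null | grep -q ntpdate; then
    echo "$cron_line" >> "$cron_file"
  fi

  # Report success only when ntpdate itself succeeded.
  if now=$(/usr/sbin/ntpdate cn.pool.ntp.org); then
    echo -e "Now time is: \033[32m${now}\033[0m"
    action "Sync time" /bin/true
  else
    action "Sync time" /bin/false
  fi
}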


#从本地添加YUM源
#######################################
# Install the bundled yum repository definitions and rebuild the yum cache.
# Globals:   none
# Arguments: none
# Returns:   status of the final "action" call
# NOTE(review): the .repo files are read from ./yum relative to the current
# working directory, and their contents are not part of this script. Before
# use, confirm that each one sets gpgcheck=1 with a trusted gpgkey and that
# testing repositories (epel-testing) are only enabled when intended, since
# these files decide which packages the host will trust.
#######################################
function add_yum_location() {
  if yes | cp ./yum/10gen.repo ./yum/epel.repo ./yum/ajenti.repo ./yum/cobbler-config.repo ./yum/epel-testing.repo /etc/yum.repos.d/ > /dev/null; then
    action "Copy repo file." /bin/true
  else
    action "Copy repo file." /bin/false
  fi

  if yum clean all >/dev/null; then
    action "Clear yum cache." /bin/true
  else
    action "Clear yum cache." /bin/false
  fi

  echo -e "\033[32mYum makecache may take some times.\033[0m"

  if yum makecache > /dev/null; then
    action "Yum Makecache." /bin/true
  else
    action "Yum Makecache." /bin/false
  fi
}


#安装lrzsz
#######################################
# Install the lrzsz package through yum unless an installed package name
# already contains "lrzsz".
# Globals:   none
# Arguments: none
# Returns:   status of the final "action" call
#######################################
function install_lrzsz(){
  # Guard clause: nothing to do when the package list already shows lrzsz.
  if rpm -qa | grep lrzsz > /dev/null; then
    action "Lrzsz already installed." /bin/true
    return
  fi

  if yum -y install lrzsz > /dev/null; then
    action "Install lrzsz." /bin/true
  else
    action "Install lrzsz." /bin/false
  fi
}


#主程序部分
#export LANG=zh_CN.GB18030


#判断是否为root用户
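# Every step below edits system configuration, so refuse to run unless the
# effective user is root. The exit status is non-zero so that callers and
# automation can tell the script did nothing.
if [[ "$(id -u)" != "0" ]]; then
  echo "Must be root can do this script." >&2
  exit 1
fi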


#判断系统
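# Refuse to run on anything other than 64-bit CentOS 6. The steps rely on
# chkconfig, /etc/init.d and sysctl keys of that release, so the check must
# fail when EITHER the architecture OR the major version is wrong.
platform=$(uname -i)
version=$(lsb_release -r 2> /dev/null | awk '{print substr($2,1,1)}')
# lsb_release may not be installed; fall back to the release file.
if [[ -z "$version" && -r /etc/redhat-release ]]; then
  version=$(sed -n 's/.*release \([0-9]\).*/\1/p' /etc/redhat-release)
fi
if [[ "$platform" != "x86_64" || "$version" != "6" ]]; then
  echo "This script is only for CentOS6 64bit Operating System !" >&2
  exit 1
fi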


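# Steps this script knows how to run, in execution order.
# NOTE(review): set_ssh restarts sshd on port 9022 before set_Iptables
# rewrites the firewall; if a pre-existing ruleset blocks 9022, new SSH
# sessions cannot connect until the last step has finished.
serviceList=(disabled_selinux change_zone_Shanghai add_yum_location set_synctime stop_Service set_ssh set_sysctl file_limit install_lrzsz set_Iptables)

if [[ "${1:-}" == "" ]]; then
  # No argument: run every step and report each one.
  for i in "${serviceList[@]}"; do
    if "${i}"; then
      action "${i}" /bin/true
    else
      action "${i}" /bin/false
    fi
  done
else
  # One argument: run a single step. The argument is matched against the
  # known step names instead of being executed directly, so the script
  # cannot be used to run an arbitrary command as root.
  requested_step=""
  for i in "${serviceList[@]}"; do
    if [[ "$i" == "$1" ]]; then
      requested_step=$i
    fi
  done

  if [[ -z "$requested_step" ]]; then
    echo "Unknown step: $1" >&2
    echo "Available steps: ${serviceList[*]}" >&2
    exit 1
  fi
  "$requested_step"
fi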


#disabled_selinux
#change_zone_Shanghai
#add_yum_location
#set_synctime
#stop_Service
#set_ssh
#set_sysctl
#file_limit
#install_lrzsz
#set_Iptables


转载于:https://my.oschina.net/fengjihu/blog/192461
